WordPress has taken measures against supply chain attacks. In these attacks, hackers added malicious code to plugins, and the code then spread to users through plugin updates.
Since last weekend, WordPress has paused all plugin updates. Updates stay paused until the plugin's creator resets their password and logs in again.
Stopping supply chain attacks
The measures were necessary to stop ongoing supply chain attacks. In these attacks, hackers misused login credentials captured in earlier data breaches, which were often readily found online. Those breaches were not necessarily WordPress-related, but hackers could still log in to the WordPress environments of users who had reused the same password across different websites.
Once logged in, the hackers added malicious code to the plugins. That code was then distributed to all of the plugin's users through updates.
In April, researchers reported another vulnerability, in the Forminator plugin for web forms. That flaw would leave hundreds of thousands of websites vulnerable, which is still a relatively low number: in January, the Better Search Replace plugin, installed on more than one million websites worldwide, was found to be insecure.
Reset password
If a user is asked to reset their password, it means that WordPress security researchers found those login credentials online. The content management system (CMS) further states that users who have not created plugins may also be asked to log in again if their passwords were found in a leak. “You will receive an e-mail from the Plugin Directory when it is time to reset your password. You do not need to take any action before receiving a notification.”